Hardening in sshd_config to prevent arbitrary network access behind the firewall where the firewall would otherwise not permit. If one can get around this then the host itself may be missing proper outbound owner-based firewall rules varies by compliance requirements.
nticompass•3mo ago
I'd understand if there was a firewall rule to prevent me from port forwarding to another machine on the same network, but this is the same machine (localhost).
Bender•3mo ago
That is the hardening I was referring to in sshd [1] itself. I updated my comment to clarify sshd_config. Without specifying permitopen and permitlisten one could for example access a service that for whatever reason does not use proper access and authentication controls such as an old installation of reddis listening on 127.0.0.1:6379. Something else to read up on is PermitTunnel and the global forwarding option of AllowTcpForwarding and AllowStreamLocalForwarding. Beyond that another thing to research is MaxSessions which can be abused by phishers that get a shell on ones laptop and facilitating the unlogged bypass of MFA/2FA.
Another option to read up on is "Match" which can modify options for specific users, groups, networks or ports. For example we can disable port forwarding for Bob and enable port forwarding for Alice.
To further limit what that host can talk to one can use the Netfilter "owner" module to limit outbound connections by user or group. So for example only the LDAP user can talk to the LDAP server.
Each org may have different audit and regulatory requirements that determine which if any of these options are utilized. Development orgs and small startups rarely use any of them due to perception of friction.
I guess I don't know all the settings/permissions that SSH can do. I assumed that once I was connected, I could just do whatever I wanted (or whatever my user had permission to do). Thanks for the information!
Bender•3mo ago
Hardening in sshd_config to prevent arbitrary network access behind the firewall where the firewall would otherwise not permit. If one can get around this then the host itself may be missing proper outbound owner-based firewall rules varies by compliance requirements.
nticompass•3mo ago
Bender•3mo ago
Another option to read up on is "Match" which can modify options for specific users, groups, networks or ports. For example we can disable port forwarding for Bob and enable port forwarding for Alice.
To further limit what that host can talk to one can use the Netfilter "owner" module to limit outbound connections by user or group. So for example only the LDAP user can talk to the LDAP server.
Each org may have different audit and regulatory requirements that determine which if any of these options are utilized. Development orgs and small startups rarely use any of them due to perception of friction.[1] - https://man7.org/linux/man-pages/man5/sshd_config.5.html
nticompass•3mo ago